Velociraptor 


Digging Deeper! 
Module overview


In this module we introduce the tool and explain the rationale behind its 
design. 


We will deploy Velociraptor in a cloud environment, aiming to stay as close
as possible to how one would deploy it for real.


We will play with the GUI and introduce some of the main concepts.

Prerequisites


In order to follow along with this workshop you will need a Windows VM
with administrator-level access.


You can grab a free VM from Microsoft:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

The page offers Windows 10 virtual machines (e.g. "MSEdge on Win10 (x64) Stable 1809")
for VirtualBox, Vagrant, VMware (Windows, Mac), HyperV (Windows) and Parallels (Mac).
Use a tool that supports zip64, like The Unarchiver, to unzip the files.
The password to your VM is "Passw0rd!"


Prerequisites


In the first part of this session I will be installing Velociraptor in the cloud
environment on GCP.


Because of the size of this course we cannot provide people with the
cloud infrastructure, so you will need to do this on your own cloud account
later; this part is a demonstration only.


There are a lot of screenshots in the slides to allow you to replicate this 
later with your setup - we recommend practicing this a couple of times. 
What is Velociraptor?


Velociraptor is a unique DFIR tool, giving you power and flexibility 
through the Velociraptor Query Language (VQL) 


VQL is used for everything:
- Collecting information from endpoints (also called clients)
- Controlling monitoring and response on endpoints
- Controlling and managing the Velociraptor server.
History


Velociraptor draws inspiration from two major projects:
- GRR https://github.com/google/grr
- OSQuery https://github.com/osquery/osquery
Velociraptor vs GRR

In common:
- Hunting across large number of endpoints
- Can collect file data
- Free Open Source (FOSS)

Different:
- Much faster
- Lower footprint
- A flexible query language
- Very simple to deploy
- Event based queries
- Commercially supported FOSS
Velociraptor vs OSQuery

In common:
- Rely on a query language to access machine state
- Single binary with no dependencies
- Multi-platform

Different:
- VQL is much more powerful and intuitive than SQL
- Much faster than OSQuery
- Can transfer file data
- Can modify the system
- Remote client/server control and orchestration in the same tool.
Velociraptor Server

- Web based admin console

Typical deployments

Velociraptor is very efficient and scalable:
- Server simply collects the results of queries - clients do all the heavy lifting.
- Client memory and CPU usage is controlled via throttling and active cancellations.
- Server is optimized for speed and scalability
- Concurrency control ensures stability
- Bandwidth limits ensure network stability
Typical deployments

Current recommendations
- 10k-15k clients - single server with file based data store (usually cloud VM).
- SSL load is the biggest load - TLS offloading helps a lot!
- 8 GB RAM/8 cores is generous towards the top of the range.
- We recommend Ubuntu/Debian server

Multi-Frontend configuration

- Available since 0.5.9 - suitable for > 10k endpoints
- Still considered experimental - help us test it!
- Master/Minion model
- Outside the scope of this course but you can find more information in our blog post
Deploying

Run

Download Velociraptor from GitHub (.msi or .exe)

"C:\Program Files\Velociraptor\Velociraptor.exe" gui
Server log from the first "gui" start (each line carries a 2020-09-08 timestamp and an [INFO] tag in the original output):

C:\Program Files\Velociraptor> Velociraptor.exe gui

Digging deeper! https://www.velocidex.com

This is Velociraptor 0.4.9 built on 2020-09-02T14:19:59+10:00 (62559265)
No embedded config - you can pack one with the "config repack" command
Env var VELOCIRAPTOR_CONFIG is not set
Loading config from file C:\Users\test\AppData\Local\Temp\server.config.yaml
No valid config found - will generate a new one at C:\Users\test\AppData\Local\Temp\server.config.yaml
Starting Frontend. {"build_time":"2020-09-02T14:19:59+10:00","commit":"6a559265","version":"0.4.9"}
Starting Journal service.
Starting the notification service.
Starting Inventory Service
Loaded 185 built in artifacts in 97.1217ms
Starting Label service.
Starting Hunt Dispatcher Service.
Selected frontend configuration localhost:8000
Starting Client Monitoring Service
Creating default Client Monitoring Service
Initial user admin not present, creating
Server upgrade detected -> 0.4.9... running upgrades.
Upgrading tool OSQueryLinux {"Tool":{"name":"OSQueryLinux","github_project":"Velocidex/OSQuery-Releases","github_asset_regex":"linux-amd64"}}
Self Signed SSL Mode

- Frontend served using TLS on port 8000 (connected to clients)
- GUI uses basic authentication with usernames/passwords.
- GUI served over loopback port 8889 (127.0.0.1)
  - By default not exposed to the network
  - You can use SSH tunneling to forward the GUI
1. Provision a VM in the cloud
   a. Configure DNS (static or dynamic)
   b. Configure OAuth2 SSO
2. Generate configuration files
3. Build debian packages and install
4. Build MSI packages for Windows
5. Deploy via GPO/SCCM etc.

The instructor will demonstrate step 1. See the workshop setup document for credentials.
Setting Dynamic DNS with Google Domains

Screenshot: Google Domains (domains.google.com) DNS settings for velocidex-training.com, with a Dynamic DNS record for vm1.velocidex-training.com and a "View credentials" link for the DynDNS username and password.
Configuring Google OAuth2

The OAuth consent screen requires a new project and a consent screen.
(Screenshot: OAuth consent screen with application type Public/Internal, verification status, application name "Velociraptor" and support email support@velocidex.com.)

Do not add an application logo or require more permissions - Google will require OAuth verification which can take weeks!
Credentials

Screenshot: GCP APIs & Services > Credentials. "Create credentials" offers an API key, an OAuth client ID or a service account; an existing OAuth 2.0 client "vm1.training.velocidex.com" and the Compute Engine default service account are listed.

Generate OAuth client credentials.

Note you can have multiple credentials and multiple domains in the same GCP project.
Create OAuth client ID

The redirect URL is the URL which Google will use to call back to Velociraptor with the user's successful login (screenshot: creating an OAuth client ID for vm2.training.velocidex.com).

It must be https://<domain>/auth/google/callback
OAuth client created

Screenshot: the GCP Credentials page after creating the client. The client ID and secret can always be accessed from Credentials in APIs & Services.

OAuth is limited to 100 sensitive scope logins until the OAuth consent screen is published. This may require a verification process that can take several days.

Note the client id and secret - we will need to provide it in the server config.

Installing a new server

Use the password provided in the Workshop setup to log into the server.

1. Fetch the latest Velociraptor Windows and Linux release binaries

2. Create a new configuration
   a. velociraptor config generate -i

3. Create a new server debian package
   a. velociraptor --config server.config.yaml debian server
Installing a new server

1. Push the debian package to the server using scp
   a. scp velociraptor_*_server.deb mike@123.45.67.89:/tmp/

2. Install package
   a. sudo dpkg -i velociraptor_*_server.deb
Latest release: v0.5.5-1 (commit 98119e5), Verified

Release 0.5.5-1
scudette released this 9 days ago - 9 commits to master since this release

This is a bugfix release from 0.5.5. Thanks for the bug reports and feedback.
Major issues fixed:

1. Memory leak in foreach() plugin
2. Python gRPC API handler crash
3. GUI Fix welcome screen logo was shown with incorrect size
4. GUI Fix VFS browser showing paths with % in their name
5. File based merge sort would fix memory issue on large ORDER BY queries.

Assets:
- velociraptor-v0.5.5-1-darwin-amd64
- velociraptor-v0.5.5-1-linux-amd64
- velociraptor-v0.5.5-1-windows-386.exe
- velociraptor-v0.5.5-1-windows-amd64.msi
- Source code (zip)
- Source code (tar.gz)
Screenshot: running the interactive configuration generator on Windows.

C:\Users\mike\Downloads> velociraptor-v0.4.3.3-windows-amd64.exe config generate -i
Welcome to the Velociraptor configuration generator
I will be creating a new deployment configuration for you. I will begin by identifying what type of deployment you need.
? Please select the datastore implementation FileBaseDataStore
? Path to the datastore directory. /data/
? Authenticate users with Google OAuth SSO
? What is the public DNS name of the Frontend (e.g. www.example.com): vm1.training.velocidex.com
? Enter the Google OAuth Client ID? <client ID from the GCP credentials page>
? Enter the Google OAuth Client Secret? <client secret>
? Are you using Google Domains DynDNS? Yes
? Google Domains DynDNS Username <DynDNS username>
? Google Domains DynDNS Password <DynDNS password>
? GUI Username or email address to authorize (empty to end):
? Path to the logs directory. /data/logs
? Where should i write the server config file? server.config.yaml
? Where should i write the client config file? client.config.yaml

Generate a new configuration with the details in the Workshop setup document.
Make sure to use /data/ as this will run on Linux.
Automating config generation

- Some people want to automate the config generation step.
- Velociraptor supports a JSON merge for non interactive configuration generation

velociraptor config generate --merge '{"autocert_domain": "domain.com", "autocert_cert_cache": "/foo/bar"}'
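As an added example (not part of the slides or the Velociraptor project), a small POSIX shell script that wraps the --merge form above so the whole generation runs unattended. It assumes the velociraptor binary is on PATH, that "config generate" prints the server config to stdout and that "config client" derives the client config from it; the merge keys are the two from the slide.

```shell
#!/bin/sh
# Added example (not from the Velociraptor project): non-interactive config
# generation with "config generate --merge", driven by script arguments.
# Assumptions: the velociraptor binary is on PATH (override with VELOCIRAPTOR);
# "config generate" writes the server config to stdout and
# "config client" derives the client config from it; the merge keys are the
# autocert_domain / autocert_cert_cache keys from the slide above.
set -eu

VELOCIRAPTOR="${VELOCIRAPTOR:-velociraptor}"

# Build the JSON object that is merged over the generated config.
# Quoting is minimal: this assumes neither value contains a double quote
# or a backslash, which holds for a DNS name and a normal path.
build_merge_json() {
    printf '{"autocert_domain": "%s", "autocert_cert_cache": "%s"}' "$1" "$2"
}

# Refuse obviously wrong inputs before touching the binary: the autocert
# domain must look like a public DNS name (Let's Encrypt validates it) and
# the cert cache must be an absolute path the service user can write to.
check_merge_inputs() {
    case "$1" in
        *.*) ;;
        *) echo "autocert_domain '$1' is not a DNS name" >&2; return 1 ;;
    esac
    case "$2" in
        /*) ;;
        *) echo "autocert_cert_cache '$2' must be an absolute path" >&2; return 1 ;;
    esac
    return 0
}

# Generate server.config.yaml and client.config.yaml into $3 (default: .)
# without any of the "-i" prompts.
generate_configs() {
    domain="$1"; cert_cache="$2"; outdir="${3:-.}"
    check_merge_inputs "$domain" "$cert_cache"
    merge="$(build_merge_json "$domain" "$cert_cache")"
    "$VELOCIRAPTOR" config generate --merge "$merge" > "$outdir/server.config.yaml"
    # The server config holds the CA and server private keys: keep it private.
    chmod 600 "$outdir/server.config.yaml"
    "$VELOCIRAPTOR" --config "$outdir/server.config.yaml" config client \
        > "$outdir/client.config.yaml"
}

# Usage: ./gen-config.sh vm1.example.com /data/certs /tmp/vrconf
if [ $# -ge 2 ]; then
    generate_configs "$@"
fi
```

The input checks are deliberately strict: a bad autocert domain only surfaces later, when the server tries to obtain a certificate, and a relative cache path ends up wherever the service happens to start.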
Building a server deb package

./velociraptor-v0.5.5-windows.exe --config ~/server.config.yaml debian server --binary velociraptor-v0.5.5-linux-amd64

The --binary flag names the Linux binary that is packaged into the .deb; the binary running the command only performs the packaging step.

Screenshot: the same command run on Windows (C:\Users\mike\Downloads> velociraptor-v0.4.3.3-windows-amd64.exe --config server.config.yaml debian server --binary velociraptor...), followed by a dir listing of C:\Users\mike\Downloads (volume serial number 883C-9DFA, 73,652,486 bytes free) showing the resulting .deb.


Deploying the server

scp the deb file to the target server

C:\Users\mike\Downloads> scp velociraptor_0.4.3_server.deb mike@34.71.243.48:/tmp/
The authenticity of host '34.71.243.48 (34.71.243.48)' can't be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '34.71.243.48' (ECDSA) to the list of known hosts.
velociraptor_0.4.3_server.deb    100%   14MB  78.6MB/s
mike@vm1-training:~$ sudo dpkg -i velociraptor_0.4.3_server.deb
Selecting previously unselected package velociraptor-server.
(Reading database ... 37691 files and directories currently installed.)
Preparing to unpack velociraptor_0.4.3_server.deb ...
Unpacking velociraptor-server (0.4.3) ...
dpkg: dependency problems prevent configuration of velociraptor-server:
 velociraptor-server depends on libcap2-bin; however:
  Package libcap2-bin is not installed.

dpkg: error processing package velociraptor-server (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 velociraptor-server
mike@vm1-training:~$ sudo apt-get install -f
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following additional packages will be installed:
  libcap2-bin libpam-cap
The following NEW packages will be installed:
  libcap2-bin libpam-cap
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 48.8 kB of archives.
After this operation, 128 kB of additional disk space will be used.
Do you want to continue? [Y/n]

When installing the deb package you might need to install dependencies by using "apt-get install -f"

© 2020 Velocidex Enterprises

Setting up velociraptor-server (0.4.3) ...
Adding group `velociraptor' (GID 112) ...
Adding system user `velociraptor' with group `velociraptor' ...
Not creating home directory `/etc/velociraptor/'.
Created symlink /etc/systemd/system/multi-user.target.wants/velociraptor_server.service -> /etc/systemd/system/velociraptor_server.service.
mike@vm1-training:~$ sudo service velociraptor_server status
● velociraptor_server.service - Velociraptor linux amd64
   Loaded: loaded (/etc/systemd/system/velociraptor_server.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-28 01:43:35 UTC; 36s ago
 Main PID: 1556 (velociraptor)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/velociraptor_server.service
           ├─1556 /bin/bash /usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend
           └─1557 /usr/local/bin/velociraptor.bin --config /etc/velociraptor/server.config.yaml frontend

May 28 01:43:35 vm1-training systemd[1]: Started Velociraptor linux amd64.

The service adds a new velociraptor user to run under. You can now access the Velociraptor server using your browser.
mic@velotest:~$ ./velociraptor-v0.4.3-linux-amd64 --config server.config.yaml debian server
mic@velotest:~$ sudo dpkg -i velociraptor_0.4.2_server.deb
(Reading database ... 39245 files and directories currently installed.)
Preparing to unpack velociraptor_0.4.2_server.deb ...
Removed /etc/systemd/system/multi-user.target.wants/velociraptor_server.service.
Unpacking velociraptor-server (0.4.2) over (0.4.1) ...
Setting up velociraptor-server (0.4.2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/velociraptor_server.service -> /etc/systemd/system/velociraptor_server.service.
mic@velotest:~$ sudo service velociraptor_server status
● velociraptor_server.service - Velociraptor linux amd64
   Loaded: loaded (/etc/systemd/system/velociraptor_server.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-05-11 13:36:33 UTC; 15s ago
 Main PID: 5492 (velociraptor)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/velociraptor_server.service
           ├─5492 /bin/bash /usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend
           └─5493 /usr/local/bin/velociraptor.bin --config /etc/velociraptor/server.config.yaml frontend

May 11 13:36:33 velotest systemd[1]: Started Velociraptor linux amd64.

1. Build a Debian package using the new configuration file.
2. Install the package.
3. Check the new service is running properly.
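Pulling the three steps together, here is an added example (not the project's own tooling) of a deploy script that copies the package, installs it, recovers from the dependency failure shown above with apt-get install -f, and fails loudly if the unit is not active afterwards. It assumes SSH key access to a sudo-capable account, the velociraptor_<version>_server.deb naming and the velociraptor_server.service unit name seen in the output above.

```shell
#!/bin/sh
# Added example (not the project's own tooling): push a freshly built server
# .deb to a Linux host, install it, repair missing dependencies the way the
# slide shows (apt-get install -f) and confirm the systemd unit is running.
# Assumptions: SSH key access to an account with sudo; the package name
# pattern velociraptor_<version>_server.deb and the unit name
# velociraptor_server.service match the install output above.
set -eu

# Every remote action goes through run() so the whole flow can be previewed
# with DRY_RUN=1 before it touches the server.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Newest velociraptor_*_server.deb in a directory (by modification time).
pick_server_deb() {
    ls -t "$1"/velociraptor_*_server.deb 2>/dev/null | head -n 1
}

# Remote command: install the package and, if dpkg stops on unmet
# dependencies (libcap2-bin in the slides), let apt-get pull them in and
# finish the configuration.
install_cmd() {
    printf 'sudo dpkg -i /tmp/%s || sudo apt-get install -f -y' "$1"
}

deploy_server_deb() {
    deb="$1"; host="$2"
    name="$(basename "$deb")"
    run scp "$deb" "$host:/tmp/$name"
    run ssh "$host" "$(install_cmd "$name")"
    # is-active exits non-zero unless the unit is running, so set -e stops
    # the script here instead of reporting a broken deploy as success.
    run ssh "$host" "systemctl is-active velociraptor_server.service"
}

# Usage: DRY_RUN=1 ./deploy.sh ./velociraptor_0.5.5_server.deb mike@123.45.67.89
if [ $# -eq 2 ]; then
    deploy_server_deb "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to see exactly which commands will be sent, then without it. The final systemctl check is what turns "the package installed" into "the frontend is actually up".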
Screenshot: browsing to https://vm1.training.velocidex.com/ for the first time.

The first time you navigate to the SSL URL the server will obtain a certificate from Let's Encrypt. There will be a small pause as this happens.
You will be redirected to Google for authentication (screenshot: Google "Choose an account to continue to velocidex.com" dialog). Velociraptor does not handle any credentials in this configuration. Google will determine if the user authenticated properly (2FA etc.) and convey simple info like the user's email address and avatar.
User permissions

When running the deb package Velociraptor is running as a non-root user with limited permissions. You must change to this user before manipulating any data, or the service may not be able to open the modified files.
- Velociraptor will refuse running as another user or as root to prevent permission problems
- sudo -u velociraptor ...

$ velociraptor user add joe@example.com --role reader
'/etc/velociraptor/server.config.yaml' is not readable, you will need to run this as the velociraptor user ('sudo -u velociraptor bash').
$ sudo velociraptor user add joe@example.com --role reader
velociraptor.bin: error: Velociraptor should be running as the 'velociraptor' user but you are 'root'. Please change user with sudo first
$ sudo -u velociraptor velociraptor user add joe@example.com --role reader

Authentication will occur via Google - therefore no password needs to be set.

Velociraptor uses a simple role based access control scheme for now
- Various actions require specific permissions
- Users are granted roles which bestow them with a set of permissions.
Granting a user role

Currently roles are hard coded:

- administrator - Can do anything without limits
- reader - Can read collected data and notebooks
- api - Can connect over the API (more later)
- analyst - reader + create bulk downloads, edit notebooks
- investigator - analyst + schedule new collections and hunts
- artifact_writer - powerful role that allows the user to create and modify artifacts (more on this later)
Just because a user is authenticated by Google does not mean they have access to the Velociraptor console!

You must authorize each user to access the console by granting them at least the reader role.

Manipulate ACLs using the "acl show" and "acl grant" commands:

velociraptor@velotest:/home/mic$ velociraptor acl grant mike@velocidex.com --role reader,investigator
velociraptor@velotest:/home/mic$ velociraptor acl show mike@velocidex.com
{"roles":["reader","investigator"]}
velociraptor@velotest:/home/mic$ velociraptor acl show --effective mike@velocidex.com
{"any_query":true,"read_results":true,"label_clients":true,"collect_client":true,"notebook_editor":true,"prepare_results":true}
velociraptor@velotest:/home/mic$
Server status

Screenshot: the GUI home page reporting "Currently there are 0 clients connected".

Your Velociraptor server is ready. You should have a valid SSL cert and an avatar provided by Google OAuth2.
Velociraptor internals

Digging into Velociraptor

The file store

Velociraptor uses a filestore abstraction to store data. By default, we use a simple directory structure in the filesystem.
- Having simple files simplifies data retention, data migration, backups etc.
- Makes it easy to integrate with another system (use scp or rsync to just copy files around).
- If files are deleted, Velociraptor will just recreate them - it is safe to just remove everything!
Now let's configure some clients.

Clients

We typically distribute signed MSI packages which include the client's config file inside them.

This makes it easier to deploy as there is only one package to install.

We also change the name of the service/binary etc. to make the service a little bit harder to stop.
Deploying clients

It is possible to embed the config in the clients using the velociraptor config repack command (more later)

Pros
- Only a single binary, no need for an additional config file
Cons
- You have to sign the binary again since the config alters the binary.
Resigning binaries

After buying a code signing cert you can use a script to sign automatically.
We recommend having a standalone isolated signing machine or VM with FDE.

#!/bin/bash
# Sign the Velociraptor binary given as $1 in place with osslsigncode.
set -e

osslsigncode sign -pkcs12 ~/private/code_sign.pkcs12 -n "Velociraptor" \
    -h sha2 -t http://timestamp.verisign.com/scripts/timstamp.dll \
    -i https://www.velocidex.com/ \
    -in "$1" -out "$1.signed.exe" -askpass

mv "$1.signed.exe" "$1"


Screenshot: github.com/Velocidex/velociraptor/releases with the release assets:
- velociraptor-v0.3.8-darwin-amd64
- velociraptor-v0.3.8-linux-amd64
- velociraptor-v0.3.8-windows-386.exe
- velociraptor-v0.3.8-windows-amd64.exe
- velociraptor-v0.3.8-windows-amd64.msi
- Source code (zip)
- Source code (tar.gz)

On your Windows machine, download the latest binary and the source code.
Velociraptor's public directory

It is handy to have somewhere to serve files from. Velociraptor has a public directory where files are served without any authentication requirements.
- We can use this to distribute third party binaries
- We can serve Velociraptor MSI files
- We can serve various support files (yara rules etc).

Velociraptor's public directory

Select the Admin.Client.Upgrade artifact and upload the MSI to the tools setup page (we will learn about that in the next few sessions).

This will now produce a random URL you can serve the MSI from.
Screenshot: Windows Explorer showing the docs/wix folder inside the extracted velociraptor-0.4.3 source tree, and the wix directory copied under C:\Users\mike (build scripts, custom.xml, README.md, velociraptor.xml).

Extract the docs/wix directory from the Velociraptor source tree. These are the required files to construct a new MSI.

The main file we use is custom.xml. This file will embed the config file within the MSI and deploy it to the correct directory.
Screenshot: docs\wix\release\velociraptor.xml open in Notepad++. The top of the file defines the variables used by the installer (registry key Software\Velocidex\Velociraptor, package description "Velociraptor Service Installer", manufacturer "Velocidex", product name "Velociraptor", version "0.50.1", binary name "Velociraptor.exe"), followed by the <Product>, <Package>, <Media> and <Directory> elements (ProgramFiles64Folder, INSTALLDIR, the Tools cache directory and the MainExecutable component).

There are many knobs to tweak here:
- The name of the binary
- The location of the files
- The name of the service
- The name of the config file.

WiX will take the binary and config file from the Output directory, so create it and place the files there.
C:\Windows\system32>cd \Users\mike\Desktop\wix

C:\Users\mike\Desktop\wix>dir
 Volume in drive C has no label.
 Volume Serial Number is 883C-9DFA

 Directory of C:\Users\mike\Desktop\wix

05/28/2020  02:02 AM    <DIR>          .
05/28/2020  02:02 AM    <DIR>          ..
05/28/2020  02:02 AM               364 build_x86.bat
05/28/2020  02:02 AM               314 build.bat
05/28/2020  02:02 AM               302 build_custom.bat
05/28/2020  02:02 AM               318 build_x86_custom.bat
05/28/2020  02:02 AM             3,084 custom.xml
05/28/2020  02:02 AM             3,006 custom_x86.xml
05/28/2020  02:02 AM             2,473 README.md
05/28/2020  02:02 AM             2,766 velociraptor.xml
               8 File(s)         12,479 bytes
               2 Dir(s)  35,698,766,336 bytes free

C:\Users\mike\Desktop\wix>copy ..\..\Downloads\velociraptor-v0.4.3.3-windows-amd64.exe output\velociraptor.exe
        1 file(s) copied.

C:\Users\mike\Desktop\wix>copy ..\..\Downloads\client.config.yaml output\client.config.yaml
        1 file(s) copied.
C:\Users\mike\Desktop\wix>build_custom.bat

C:\Users\mike\Desktop\wix>"c:\Program Files (x86)\WiX Toolset v3.11\bin\candle.exe" custom.xml -arch x64 -ext "c:\Program Files (x86)\WiX Toolset v3.11\bin\WixUtilExtension.dll"
Windows Installer XML Toolset Compiler version 3.11.2.4516
Copyright (c) .NET Foundation and contributors. All rights reserved.

custom.xml

C:\Users\mike\Desktop\wix>"c:\Program Files (x86)\WiX Toolset v3.11\bin\light.exe" custom.wixobj -ext "c:\Program Files (x86)\WiX Toolset v3.11\bin\WixUtilExtension.dll"
Windows Installer XML Toolset Linker version 3.11.2.4516
Copyright (c) .NET Foundation and contributors. All rights reserved.

C:\Users\mike\Desktop\wix>dir *.msi
 Volume in drive C has no label.
 Volume Serial Number is 883C-9DFA

 Directory of C:\Users\mike\Desktop\wix

05/28/2020  02:06 AM        15,093,760 custom.msi
               1 File(s)     15,093,760 bytes
               0 Dir(s)  35,625,000,960 bytes free

The custom MSI contains the client config embedded in it. This is the recommended way ...
Screenshot: https://vm1.training.velocidex.com/app.html#/search showing one online client, client ID C.208d5bd6aaebce1b, host windows-2, Microsoft Windows Server 2019 Datacenter 10.0.17763 Build 17763.

After installing the MSI you should be able to see it immediately in the server's search screen.
Domain deployment

We can deploy the MSI to the entire domain using group policy.

2 methods:
1. Via scheduled tasks.
2. Via assigned software.
Screenshot: Windows Explorer, properties of C:\Shared, Sharing tab (Network File and Folder Sharing / Advanced Sharing).

Create a share to serve the MSI from.
Screenshot: the "Network access" dialog for the share, listing Administrator with Read/Write and Everyone with Read permission.

Ensure everyone has read access from this share - and only administrators have write access!
Screenshot: Group Policy Management console, Forest: test.velocidex.com > Domains > test.velocidex.com, with the right-click menu offering "Create a GPO in this domain, and Link it here...".

Use the group policy management tool to create a new Group Policy Object in the domain (or OU).


(Screenshot: the new GPO "Install Velociraptor" under Group Policy Objects; the right-click menu offers Edit..., GPO Status, Back Up..., Restore from Backup..., Import Settings..., Save Report...; the Scope tab shows the GPO linked to test.velocidex.com, Enforced: No, Link Enabled: Yes.)

Open the GPO editor: edit the new GPO.
Method 1: Scheduled Tasks

(Screenshot: Group Policy Management Editor for "Install Velociraptor", Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks; right-click New > Immediate Task (At least Windows 7).)
(Screenshot: New Task (At least Windows 7) Properties, General tab: Action: Create; Name: Install Velociraptor; Author: TEST\Administrator; "Run whether user is logged on or not"; "Run with highest privileges" checked; Configure for: Windows 7, Windows Server 2008R2.)

Ensure the new scheduled task is run as SYSTEM.
(Screenshot: Actions tab, New Action: "Start a program"; Program/script: msiexec.exe; Add arguments (optional); Start in (optional).)

Using scheduled tasks you can run any binary - use this method to run interactive collection if you do not have a dedicated Velociraptor server.
(Screenshot: Common tab, "Options common to all items": "Apply once and do not reapply" checked.)

Ensure the new scheduled task is run only once.
Method 2: Install via assigned software packages in GPO

(Screenshot: Group Policy Management Editor, Computer Configuration > Policies > Software Settings > Software installation; right-click New > Package...)

The main advantage here is that it is possible to upgrade or uninstall Velociraptor easily.
(Screenshot: the Open dialog browsing the Shared folder on WIN-NQ49SQJOLAH over the network for the Velociraptor MSI, then the Deploy Software dialog: deployment method Assigned - "Select this option to Assign the application without modifications.")
(Screenshot: Software installation now lists the Velociraptor package, Deployment state: Assigned, Source: \\WIN-NQ49SQJOLAH\Shared\velociraptor.msi.)

You will need to wait until group policy is updated on the endpoint or until the next reboot. The endpoint must be on the AD LAN.
Velociraptor GUI tour
The Dashboard

The Dashboard shows the current state of the installation:

- How many clients are connected
- Current CPU load and memory footprint on the server.

When running hunts or intensive processing, memory and CPU requirements will increase, but not too much.

You can customize the dashboard - it's also just an artifact.
(Screenshot: the welcome screen.)

Welcome to Velociraptor!
Common tasks:
- Inspect the server's state
- Building an Offline Collector
- Write VQL notebooks
- Customize this welcome screen

Or simply search for a client in the search bar above. You can always get back to this welcome screen by clicking the little green reptile above!

Tips
1. Press ctrl-/ to view keyboard hotkeys

(Screenshot: Server status dashboard, "The following are total across all frontends": CPU and Memory Utilization, Currently Connected Clients, range Last Day.)
(Screenshot: Server status graph over 10 Jun - 14 Jun.)

Clients have a persistent connection to the server. They're ready to receive your commands.
Searching for a client

To work with a specific client we need to search for it.

Press the Search or Show All icon to see some clients.

(Screenshot: client list with columns Online, Client ID, Hostname, OS Version, Labels, showing C.e918dd461d043db2, DESKTOP-25CK4TB.localdomain, Microsoft Windows 10 Enterprise Evaluation 10.0.19041 Build 19041.)
Search for hostname, label or client ID. You can start typing the hostname to auto-complete.

(Screenshot: typing "desktop-25ck4tb" in the search box offers the auto-complete suggestion desktop-25ck4tb.localdomain, resolving to C.e918dd461d043db2 DESKTOP-25CK4TB.localdomain.)
Client overview

The server collects some high level information about each endpoint.

Click VQL Drilldown to see more detailed information:
- Client version
- Client footprint (memory and CPU)

You can customize the information collected and shown by editing the Generic.Client.Info artifact.
(Screenshot: client Overview tab for DESKTOP-25CK4TB.localdomain. Tabs: Interrogate, VFS, Collected, Overview, VQL Drilldown, Shell. Client ID C.e918dd461d043db2; Agent Version 2020-10-22T23:03:33+10:00; Agent Name velociraptor; Last Seen At 2020-10-22 13:15:13 UTC; Last Seen IP 127.0.0.1:52511; Operating System windows; Hostname DESKTOP-25CK4TB.localdomain; Release Microsoft Windows 10 Enterprise Evaluation 10.0.19041 Build 19041; Architecture amd64. Client Metadata table with keys Escalate and Investigator.)

Clients have a unique ID starting with "C.". Internally the client id is considered the most accurate source of endpoint identity.

Each client has arbitrary metadata so you can integrate it easily into your procedures.
(Screenshot: VQL Drilldown tab for DESKTOP-25CK4TB.localdomain (C.e918dd461d043db2) at 2020-10-22 06:16:14 -0700 PDT: a table with Labels, Hostname, OS, Architecture, followed by "Memory and CPU footprint over the past 24 hours".)

The GUI consists of familiar widgets: here we can see the table widget, which repeats often.

By default, VQL Drilldown shows the recent memory and CPU load of Velociraptor on the endpoint as well as the list of users.

This screen simply shows the report of the Generic.Client.Info artifact - you can edit the artifact to collect more/different info.
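As an added example (not the slides' own code, and not the stock Generic.Client.Info that ships with Velociraptor), here is a customized copy of that artifact saved under the "Custom." prefix. It keeps the BasicInformation and Users sources the drilldown report is built from and adds a third source that reports the Velociraptor client process itself, so the report also shows the client's own footprint. The pslist() and users() column names and the Query/Table report helpers are assumed from Velociraptor's documented VQL plugins and report syntax.

```yaml
# Added example: a customized client-info artifact. Not part of the slides
# or of Velociraptor's built-in artifact set.
name: Custom.Generic.Client.Info
description: |
  Customized client interrogation artifact. Collects the basic host
  information shown on the Overview page, the local user accounts, and
  the Velociraptor client process itself.

type: CLIENT

sources:
  - name: BasicInformation
    description: Basic host information (hostname, OS, platform, version).
    query: |
      -- info() returns a single row describing the endpoint
      SELECT * FROM info()

  - name: Users
    description: Local user accounts (Windows only).
    precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- users() enumerates local accounts on Windows (assumed columns)
      SELECT Name, Description, Uid, Gid, Directory FROM users()

  - name: ClientProcess
    description: The Velociraptor client process, as a footprint sanity check.
    query: |
      -- getpid() is the client's own PID; pslist(pid=...) restricts the
      -- process listing to that single process (assumed columns)
      SELECT Pid, Name, Exe, CommandLine, Username
      FROM pslist(pid=getpid())

reports:
  - type: CLIENT
    template: |
      # Client information

      {{ Query "SELECT * FROM source(source='BasicInformation')" | Table }}

      ## Local users

      {{ Query "SELECT * FROM source(source='Users')" | Table }}

      ## Velociraptor client process

      {{ Query "SELECT * FROM source(source='ClientProcess')" | Table }}
```

Once saved through the artifact editor, this artifact can be collected from the client like any other; the report section renders the three sources as tables in the same way the VQL Drilldown page renders the stock artifact.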
(Screenshot: the same table with additional columns shown: Platform, PlatformVersion, KernelVersion, Fqdn, ADDomain; "Showing rows 1 to 1 of 1".)

You can show/hide columns as needed - this helps to see wider columns.
(Screenshot: Raw Response JSON with the keys Name, BuildTime, Labels, Hostname, OS, Architecture, Platform, PlatformVersion, KernelVersion, Fqdn, ADDomain.)

You can see the raw data behind each table:
- A table is simply a list of rows
- Each row is a mapping
(Screenshot: the Shell tab running Get-LocalGroupMember -Group "Administrators" on DESKTOP-25CK4TB.localdomain.)

Velociraptor allows running shell commands on the endpoint using PowerShell/Cmd/Bash.

Only Velociraptor users with the administrator role are allowed to do this! You can disable the client shell ability by configuration policy - but this limits your DFIR efficacy.

Actions are logged and audited.
The Virtual File System (VFS)

The VFS visualizes some server-side information we collect about the clients.

The top level corresponds to the type of information we collect:
- File - Access the file system using the filesystem API
- NTFS - Access the file system using raw NTFS parsing (Windows only)
- Registry - Access the Windows Registry using the Registry API (Windows only)
- Artifacts - A view of all artifacts collected from the client sorted by artifact type, and then by the times when they were collected.
File accessor

Uses the OS APIs to access files (unless a file is locked, in which case it falls back to NTFS).

(Screenshot: VFS browser for DESKTOP-25CK4TB.localdomain showing file, Program Files, Program Files (x86), artifacts; Stats for C:\Users\desktop.ini: Size 174, Mode -rw-rw-rw-, Mtime 2019-12-07T09:12:42.7315647Z, Atime 2020-10-22T13:00:50.8566571Z, Ctime 2019-12-07T09:14:54.4124461Z, Last Collected 2020-10-22 13:28:56 UTC with a Download link; buttons "Fetch from Client" and "Collect from the client"; Textview and HexView tabs.)
NTFS accessor

Uses raw NTFS parsing, providing access to special files and ADS.

(Screenshot: VFS browser via the ntfs accessor showing $MFT, $MFTMirr, System Volume Information, Users, Windows, registry, artifacts; Stats for \\.\C:\$MFT: Size 262144000, Mode -rwxr-xr-x, mtime/atime/ctime 2020-10-13T05:20:00.6030247Z; Properties: mft 0-128-6, name type DOS+Win32.)
Registry accessor

Provides access to the registry using the Windows API. Keys are like directories and Values are files.

Since Values are typically small, they are also retrieved as a result of a directory listing - in most cases there is no need to download content explicitly.

Note that registry mapping occurs, so take care when accessing virtual keys like HKEY_CURRENT_USER or HKEY_USERS.
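The three accessors above are the same glob() plugin pointed at different backends. The following artifact is an added example (not from the slides or from Velociraptor's artifact set) that runs one query per accessor so the differences can be compared side by side: the file accessor lists a logged-on user's NTUSER.DAT but cannot read it through the API because the hive is locked, the ntfs accessor reads it anyway and also exposes $MFT, and the registry accessor addresses a profile hive by SID under HKEY_USERS instead of through the HKEY_CURRENT_USER mapping (the client runs as SYSTEM, so that mapping would land in the S-1-5-18 hive seen in the screenshot). The glob() row columns (FullPath, Size, Mtime, IsDir, Data.type, Data.value) and the "C:/$MFT" path form for the ntfs accessor are assumed from Velociraptor's documentation.

```yaml
# Added example comparing the file, ntfs and registry accessors.
# Not part of the slides or of Velociraptor's built-in artifacts.
name: Custom.Demo.VFSAccessors
description: |
  Run the same glob() plugin through the three accessors that back the
  VFS tree, to show what each one can and cannot see.

parameters:
  - name: HiveGlob
    default: C:/Users/*/NTUSER.DAT
  - name: UserSid
    description: Profile SID pattern to inspect under HKEY_USERS (assumed default).
    default: S-1-5-21-*

sources:
  - name: FileAccessor
    query: |
      -- The file accessor goes through the OS API. A logged-on user's
      -- NTUSER.DAT is listed (metadata comes from the directory entry)
      -- but reading it through the API fails because the hive is locked.
      SELECT FullPath, Size, Mtime
      FROM glob(globs=HiveGlob, accessor='file')

  - name: NTFSAccessor
    query: |
      -- Raw NTFS parsing reads locked files and exposes special files
      -- such as $MFT, which do not exist from the API's point of view.
      SELECT FullPath, Size, Mtime
      FROM glob(globs=[HiveGlob, "C:/$MFT"], accessor='ntfs')

  - name: RegistryAccessor
    query: |
      -- Keys behave like directories and values like files, and values
      -- carry their data in the Data column of the listing. Address the
      -- loaded profile hive by SID under HKEY_USERS rather than through
      -- HKEY_CURRENT_USER, which depends on who runs the client.
      SELECT FullPath, Name, Data.type AS Type, Data.value AS Value
      FROM glob(globs="HKEY_USERS/" + UserSid + "/Environment/*",
                accessor='registry')
      WHERE NOT IsDir
```

Collecting this artifact from a Windows client gives three result sets in the Results tab; the HiveGlob rows appear in both the file and ntfs sources, while "C:/$MFT" appears only in the ntfs source.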
(Screenshot: VFS registry view on DESKTOP-NG2QVOG: \HKEY_USERS\S-1-5-18\Environment with the values Path, TEMP and TMP; Properties of Path: type EXPAND_SZ, data %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;. A second screenshot shows a registry key listing with mtime/atime/ctime/btime columns and the status "Synced 246000 files".)
Artifacts accessor

This shows the artifacts collected from the endpoint grouped by artifact.

This is useful to see the timeline of the same artifact collected at different times.
(Screenshot: the artifacts view listing BasicInformation.json and Users.json (1046 bytes); Textview of BasicInformation.json:)

{"Name":"velociraptor","BuildTime":"2020-10-22T23:03:33+10:00","Labels":null,"Hostname":"DESKTOP-25CK4TB","OS":"windows","Architecture":"amd64","Platform":"Microsoft Windows 10 Enterprise Evaluation","PlatformVersion":"10.0.19041 Build 19041","KernelVersion":"","Fqdn":"DESKTOP-25CK4TB.localdomain","ADDomain":"WORKGROUP"}
Navigating the interface

Clicking "Refresh this directory" will schedule a directory listing artifact and wait for the results (usually very quick if the endpoint is online).

"Recursively refresh this directory" will schedule a recursive refresh - this may take some time! After this operation a lot of the VFS will already be pre-populated.

"Collect from client" will retrieve the file data to the server. After that, the floppy disk sign indicates that we have file data available and you can click the "Download" link to get a copy of the file.
(Screenshot: VFS listing of C:\Users\test with NTUSER.DAT (1048576 bytes) and its transaction log files; Stats for C:\Users\test\NTUSER.DAT: Size 1048576, Mode -rw-rw-rw-, Mtime 2020-10-14T08:42:07.9229959Z, Atime 2020-10-14T08:42:07.9229959Z, Ctime 2020-10-12T11:34:31.5787883Z.)

Refresh directory from endpoint (can be done recursively).

Remember that the VFS view is simply a server side cache of information we know about the endpoint - it is usually out of date!
Determine user activity

Exercise:
Task: We suspect a user account has been compromised.

Did the user download malware?

- Freely explore the interface to answer this question
- Useful artifacts include:
  - Download directory content
  - Internet browser history
  - Temporary files
(Screenshot: VFS listing of C:\Users\test\AppData\Local\Temp on DESKTOP-NG2QVOG containing Python 3.8.1 installer logs; Stats for "Python 3.8.1 (64-bit)_20210119005306.log": Size 75578, Mode -rw-rw-rw-, Mtime/Atime/Ctime 2021-01-19T08:54:20.2031764Z, Last Collected 2021-01-24 13:40:00 UTC; Properties include SHA256 and MD5; button "Re-Collect from the client".)

The VFS view is similar to many other forensic packages. This makes it easier to use, but it is very much less effective than writing artifacts!
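The exercise above is answered faster with a query than by clicking through the VFS, which is the point the slide makes. The following artifact is an added example (not from the slides or from Velociraptor's artifact set): it sweeps the Downloads and Temp folders of every profile for files written in the last N days, hashes each one and optionally uploads it to the server, so the result is one sortable table instead of a tree to browse. The parameter types, the split(), hash() and timestamp() function signatures and the Btime column are assumed from Velociraptor's documentation.

```yaml
# Added example for the "did the user download malware?" exercise.
# Not part of the slides or of Velociraptor's built-in artifacts.
name: Custom.Windows.Triage.RecentUserFiles
description: |
  List, hash and optionally upload every file written to the Downloads
  and Temp folders of all user profiles within the last DaysBack days.

parameters:
  - name: SearchGlobs
    description: Comma separated glob patterns to sweep.
    default: C:/Users/*/Downloads/**,C:/Users/*/AppData/Local/Temp/**
  - name: DaysBack
    type: int
    default: 7
  - name: UploadFiles
    description: Also upload the matching files to the server.
    type: bool

sources:
  - name: RecentFiles
    query: |
      -- Files modified before this instant are ignored. now() is epoch
      -- seconds, so DaysBack days is DaysBack * 86400 seconds.
      LET cutoff = timestamp(epoch=now() - DaysBack * 86400)

      -- glob() accepts a list of patterns; split() turns the comma
      -- separated parameter into that list.
      SELECT FullPath, Size, Mtime, Btime,
             hash(path=FullPath).SHA256 AS SHA256,
             if(condition=UploadFiles,
                then=upload(file=FullPath)) AS Upload
      FROM glob(globs=split(string=SearchGlobs, sep=","))
      WHERE NOT IsDir AND Mtime > cutoff
      ORDER BY Mtime DESC
```

The SHA256 column lets an analyst check the downloaded files against known-bad hashes without first pulling every file back; setting UploadFiles collects the originals for anything that needs a closer look.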
Velociraptor artifacts

Velociraptor is just a VQL engine!

We package VQL queries in Artifacts:
- YAML files
- Include a human description
- Package related VQL queries into "Sources"
- Take parameters for customization
- Can in turn be used in VQL as well...
(Screenshot: Collected Artifacts tab for DESKTOP-25CK4TB.localdomain listing the flows F.BU8PIJAHQQ904 System.VFS.DownloadFile, F.BU8PIEKMHDUKA System.VFS.ListDirectory and F.BU8PI6P9MJD20 System.VFS.ListDirectory, all created by admin on 2020-10-22 between 14:37 and 14:38 UTC. Overview of flow F.BU8PIEKMHDUKA: Artifact Names System.VFS.ListDirectory, Creator admin, Create Time 2020-10-22 14:37:46 UTC, Start Time 14:37:47 UTC, Duration 0.03 seconds, State FINISHED, Ops/Sec Unlimited, Timeout 600 seconds, Max Rows 1m rows; Parameters: Path C:/Users/test, Accessor file, Depth.)

Refreshing the VFS simply schedules new artifacts to be collected - it is just a GUI convenience. This also means we have a complete audit of users refreshing the VFS.
Velociraptor expert knowledge: finding the evidence

A key objective of Velociraptor is encapsulating DFIR knowledge into the platform, so you don't need to be a DFIR expert.

- We have high level questions to answer
- We know where to look for evidence of user / system activities

We build artifacts to collect and analyze the evidence in order to answer our investigative questions.
Artifact superpowers

An artifact is a YAML file ...
(therefore user-readable, shareable and editable)
... that answers a question ...
... by collecting data from the endpoint ...
... and reporting on this data in a human readable way.

Artifacts encode expert knowledge into human reusable components.
(Screenshot: New Collection: Select Artifacts to collect. The artifact search area lists Windows.Packs.Autoexec, Windows.Remediation.ScheduledTasks and Windows.System.TaskScheduler; the description pane of Windows.System.TaskScheduler reads:)

The Windows task scheduler is a common mechanism that malware uses for persistence. It can be used to run arbitrary programs at a later time. Commonly malware installs a scheduled task to run itself periodically to achieve persistence.

This artifact enumerates all the task jobs (which are XML files). The artifact uploads the original XML files and then analyses them to provide an overview of the commands executed and the user under which they will be run.

Parameters
Name        Default
TasksPath   c:/Windows/System32/Tasks/**
AlsoUpload

Source Analysis (the actual VQL source, as far as it is visible in the pane):

    LET Uploads = SELECT Name, FullPath, if(
         condition=AlsoUpload='Y',
         then=upload(file=FullPath)) as Upload
    FROM glob(globs=TasksPath)
    WHERE NOT IsDir

    LET parse_task = select FullPath, parse_xml(
         accessor='data',

Wizard steps: Select Artifacts, Configure Parameters, Specify Resources, Review, Launch.

To collect a new artifact, from the Collected Artifacts screen, click "Collect new artifact" and search for it. Select Add to add it to this collection. When finished simply click Next.
(Screenshot: New Collection: Configure Parameters for Windows.System.TaskScheduler: TasksPath c:/Windows/System32/Tasks/**, AlsoUpload.)
Velociraptor artifacts

Velociraptor comes with a large number of artifact types:
1. Client Artifacts run on the endpoint
2. Client Event artifacts monitor the endpoint
3. Server Artifacts run on the server
4. Server Event artifacts monitor for events on the server.

Depending on context, the GUI artifact search screen will only show the relevant types; the View Artifacts screen shows all types as well as details about each one.
(Screenshot: Collected Artifacts for DESKTOP-25CK4TB.localdomain: F.BU8PNFGOHVISA Windows.System.TaskScheduler, created 2020-10-22 14:48:30 UTC, last active 14:48:39 UTC, creator admin. Overview: Artifact Names Windows.System.TaskScheduler, Total Rows 195, Files uploaded 195, Start Time 14:48:31 UTC, Duration 1.21 seconds, State FINISHED, Uploaded Bytes 621156, Ops/Sec Unlimited, Timeout 600 seconds, Max Rows 1m rows; Download Results with Available Downloads.)

All artifacts produce rows since they are just queries. Some artifacts also upload files. You can create a download zip to export all the uploaded files.
(Screenshot: Uploaded Files tab of flow F.BU8PNFGOHVISA: vfs paths of the form clients/C.e918dd461d043db2/collections/F.BU8PNFGOHVISA/uploads/file/C:/Windows/System32/Tasks/..., for example GoogleUpdateTaskMac..., OneDrive Standalone U..., Microsoft/XblGameSave, Microsoft/Windows/DUS..., Microsoft/Windows/SharedPC/Account Cleanup.)

The uploads tab shows the file's location on the server. You can download each one individually.
(Screenshot: Log tab for flow F.BU8PNFGOHVISA: timestamped client log messages between 2020-10-22 14:48:30 UTC and 14:48:39 UTC, such as "Starting query ex..." and "Sending r...".)

As the query is running on the endpoint, any log messages are sent to the server.

Click the log tab to see if there were any errors and how many rows are expected.
Viewing the results

(Screenshot: Results tab of a collection on desktop-ng2qvog covering Windows.Forensics.Prefetch, Windows.Sys.Users and Windows.System.TaskScheduler, with a Source Selector; the Windows.Sys.Users rows show Gid, Name, Description, Directory, e.g. 513 Administrator "Built-in account for administering the computer/domain" and 513 Default "A user account managed by the system.")

The Results tab shows the results from every artifact and source.
(Screenshot: Overview tab with Download Results: "Prepare Download" and "Prepare Collection Report". The resulting zip DESKTOP-NG2QVOG-C.56505d2ba2d63ace-F.C0555QFN5V9RM.zip contains clients/DESKTOP-NG2QVOG/artifacts/Windows.Forensics.Prefetch/F.C0555QFN5V9RM.csv (58.5 kB, CSV document) and F.C0555QFN5V9RM.json (88.9 kB, JSON document), the Windows.Sys.Users results, and collections/F.C0555QFN5V9RM. Limits shown: Ops/Sec Unlimited, Timeout 600 seconds, Max Rows 1m rows, Max Mb 1000.00 Mb. A second screenshot shows the Uploaded Files tab of a Windows.KapeFiles.Targets collection (67 Mb uploaded, 296 rows) with per-file timestamp, started time, file size and uploaded size, e.g. 69632 / 69632 bytes.)
Viewing, searching and modifying artifacts
View artifacts

Artifacts are just YAML files. The "View Artifacts" screen allows users to explore the different available artifacts.

While most users will just collect existing ones, we expect power users to customize and write their own artifacts from scratch.
(Screenshot: View Artifacts screen with a search box listing Windows.Packs.Autoexec, Windows.Remediation.ScheduledTasks and Windows.System.TaskScheduler. Windows.System.TaskScheduler is selected: Type: client; Description and Info as above; Parameters TasksPath c:/Windows/System32/Tasks/** and AlsoUpload (the available customization); Source Analysis, as far as it is visible in the pane:)

    LET Uploads = SELECT Name, FullPath, if(
         condition=AlsoUpload='Y',
         then=upload(file=FullPath)) as Upload
    FROM glob(globs=TasksPath)
    WHERE NOT IsDir

    LET parse_task = select FullPath, parse_xml(
         accessor='data',
         file=regex_replace(
             source=utf16(string=Data),
Edit Windows.System.TaskScheduler

name: Custom.Windows.System.TaskScheduler
description:

parameters:
  - name: TasksPath
    default: c:/Windows/System32/Tasks/**
  - name: AlsoUpload
    type: bool

sources:
  - name: Analysis

[The editor continues with the source query below the visible part of the screenshot.]

User artifacts must have the prefix "Custom.". You can collect the original or the customized version as you please.
Editing the dashboard

The main server dashboard is just an artifact called Server.Monitor.Health!

You can therefore modify it. I usually put the name of the deployment prominently and/or links to MSI or client config files - we have so many different deployments it is hard to keep track!

[Screenshot: Edit Server.Monitor.Health, with the rendered dashboard headed "Server status" followed by the deployment name, then "The following are total across all frontends", "CPU and Memory Utilization" and a "Last Day" range selector.]

The template contains markdown composed from Golang Template Language. You can also run VQL in dashboards!
Hunting everywhere
Hunting

Collecting the same artifact from many endpoints is called "hunting".

A hunt is just a logical container for many individual collections:

- You can download all collections at the same time.
- You can see how many endpoints participated.
- You can select which machines will participate based on labels, OS or other conditions.
Hunting

Velociraptor hunts are always active until they expire. Endpoints not currently online will receive the hunt when they check in next.

Therefore the result set is always changing - you can prepare a new download to obtain the latest version of the hunt results.
Exercise - collect tasks everywhere

Repeat the previous artifact collection as a hunt.

This captures the state of the deployment at a point in time when the hunt was collected.
[Screenshot: New Hunt - Configure Hunt. Description "Task schedule hunt", Expiry 10/29/2020 7:55 AM, Include Condition "Run everywhere", Exclude Condition "Run everywhere".]

[Screenshot: New Hunt - Configure Hunt. Description "Hunt For all Scheduled tasks", Expiry 1/29/2021 2:31 PM, Include Condition "Match by label", Include Labels "first".]

Velociraptor just collects artifacts - the artifact selection GUI is a repeating theme that works the same way in different contexts!

You can target hunts at specific label groups or OS.
[Screenshot: Create Hunt: Select artifacts to collect, with Windows.System.TaskScheduler (Type: client) selected. The panel shows the same description, parameters (TasksPath, default c:/Windows/System32/Tasks/**; AlsoUpload) and Analysis source as on the View Artifacts screen.]
[Screenshot: the Hunts list with the "Run this hunt?" confirmation. Hunt H.5bed8104 "Task schedule hunt", artifact Windows.System.TaskScheduler, created 2020-10-22 14:56:57 UTC by admin, state PAUSED, Ops/Sec Unlimited.]

[Screenshot: the Hunts list on a larger deployment. Hunt H.d12438e6 "Hunt For all Scheduled tasks", created 2021-01-22 04:46:04 UTC, started 2021-01-22 04:46:20 UTC, expires 2021-01-29 04:46:00 UTC, creator mic, state RUNNING, Ops/Sec Unlimited. Total scheduled 2001, Finished clients 402. The Overview tab offers "Download Results" and lists the Available Downloads.]
[Screenshot: the hunt export H.d12438e6.zip opened in an archive viewer. Layout:]

H.d12438e6.zip
  All Windows.System.TaskScheduler/
    Analysis.json        (JSON document)
  clients/
    DESKTOP-NG2QVOG/
      artifacts/
        Windows.System.TaskScheduler/
          F.C055HA605LDRO
      collections/
        F.C055HA605LDRO
    DESKTOP-NG2QVOG-1/
      artifacts/
        Windows.System.TaskScheduler/
          F.C055H920R7C46
      collections/

[The hunt overview for H.d12438e6 (state RUNNING) lists the export under Available Downloads with a size of 151081344 bytes.]

When hunting large numbers of end points data grows quickly!
[Screenshot: hunt H.C26MFTPBV2M91 "task scheduler" (created 2021-05-01 14:38:47 UTC, started 2021-05-01 14:38:55 UTC, expires 2021-05-09 07:31:40 UTC, 1000 scheduled, creator mic) opened on its Notebook tab, with a "Stop Hunt" button. The notebook cell contains:]

SELECT *, count() AS Count
FROM hunt_results(
    artifact='Windows.System.TaskScheduler/Analysis',
    hunt_id='H.C26MFTPBV2M9I')
WHERE Command =~ "cmd.exe"
GROUP BY Command, Arguments

[Result rows (columns FullPath | Command | Arguments | ComHandler | Userid):]

C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Device-Join | %SystemRoot%\System32\dsregcmd.exe | $(Arg0) $(Arg1) $(Arg2) | | S-1-5-18
C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check | %SystemRoot%\System32\dsregcmd.exe | /checkrecovery | |
C:\Windows\System32\Tasks\T1053_005_OnLogon | cmd.exe | /c calc.exe | | DESKTOP-VBCQLNM\test

Query Stats: {"RowsScanned":196000,"PluginsCalled":1,"FunctionsCalled":3000,"ProtocolSearch":0,"ScopeCopy":395001}

[A second table lists Flowid, Clientid, Fqdn and Count, e.g. F.C26MGOINHRR9C, C.b5e149830d130b13, DESKTOP-VBCQLNM-381, 1000.]

You can post process the hunt results directly in the hunt notebook.
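As an added example (not part of the slides or of Velociraptor itself), the notebook's stacking can be repeated offline against the Analysis.json inside the exported hunt zip. The rows below are constructed in the shape of the notebook's result columns; that the combined export carries a per-row Fqdn column is an assumption.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the exported Analysis.json: one JSON
# object per line, plus the Fqdn column assumed to be added by the hunt export.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Fqdn": "HOST-A", "FullPath": r"C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check",
     "Command": r"%SystemRoot%\System32\dsregcmd.exe", "Arguments": "/checkrecovery", "Userid": "S-1-5-18"},
    {"Fqdn": "HOST-B", "FullPath": r"C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check",
     "Command": r"%SystemRoot%\System32\dsregcmd.exe", "Arguments": "/checkrecovery", "Userid": "S-1-5-18"},
    {"Fqdn": "HOST-C", "FullPath": r"C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check",
     "Command": r"%SystemRoot%\System32\dsregcmd.exe", "Arguments": "/checkrecovery", "Userid": "S-1-5-18"},
    {"Fqdn": "HOST-B", "FullPath": r"C:\Windows\System32\Tasks\T1053_005_OnLogon",
     "Command": "cmd.exe", "Arguments": "/c calc.exe", "Userid": r"HOST-B\test"},
])

def load_rows(jsonl: str) -> list:
    """Parse the JSON-lines export; blank lines are skipped."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def stack_tasks(rows: list) -> dict:
    """Group by (Command, Arguments), recording endpoints and task paths:
    the offline equivalent of the notebook's GROUP BY Command, Arguments."""
    groups = defaultdict(lambda: {"hosts": set(), "paths": set()})
    for r in rows:
        key = (r.get("Command", ""), r.get("Arguments", ""))
        groups[key]["hosts"].add(r.get("Fqdn", "?"))
        groups[key]["paths"].add(r.get("FullPath", ""))
    return {k: {"count": len(v["hosts"]), "hosts": sorted(v["hosts"]),
                "paths": sorted(v["paths"])} for k, v in groups.items()}

def rare_tasks(rows: list, max_hosts: int = 1) -> list:
    """Tasks present on at most max_hosts endpoints, rarest first: a one-off
    persistence task stands out against tasks every Windows build ships with."""
    stacked = stack_tasks(rows)
    rare = [(k, v) for k, v in stacked.items() if v["count"] <= max_hosts]
    return sorted(rare, key=lambda kv: (kv[1]["count"], kv[0]))

def matching(rows: list, pattern: str) -> list:
    r"""Rows whose Command matches a regex, like WHERE Command =~ "cmd.exe".
    An unanchored "cmd.exe" also matches dsregcmd.exe, as the slide's output
    shows; r"(^|\\)cmd\.exe$" matches only cmd.exe itself."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(r.get("Command", ""))]

if __name__ == "__main__":
    for (cmd, args), info in rare_tasks(load_rows(SAMPLE_JSONL)):
        print(f"{info['count']} host(s): {cmd} {args} -> {info['hosts']} {info['paths']}")
```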
Reverse proxy

Velociraptor has a built in reverse proxy:

- This allows us to serve other web applications through the Velociraptor server. Velociraptor will take care of authentication and SSL for free.

- It is useful to export the filestore so users can just download the files they want.


GUI:
  reverse_proxy:
    - route: /files/
      url: file:///var/tmp/velociraptor/clients/
      require_auth: true

root@server-1:/home/mike# vi /etc/velociraptor/server.config.yaml
root@server-1:/home/mike# service velociraptor_server restart
root@server-1:/home/mike# service velociraptor_server status
● velociraptor_server.service - Velociraptor linux amd64
   Loaded: loaded (/etc/systemd/system/velociraptor_server.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-02-03 02:05:56 UTC; 938ms ago
 Main PID: 24029 (velociraptor)
    Tasks: 7 (limit: 4915)
   CGroup: /system.slice/velociraptor_server.service
           └─24029 /usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend
Browse the internal file store and note the location of different files.

[Screenshot: browsing https://vm1.training.velocidex.com/files/C.c25c214ac8c529d9 through the reverse proxy. The client's directory contains:]

artifacts/
collections/
key.db
monitoring/
ping.db
tasks/
vfs/
vfs_files/

[Drilling down, the artifacts directory lists Generic.Client.Info/, System.VFS.DownloadFile/ and System.VFS.ListDirectory/, and the Generic.Client.Info results are stored as BasicInformation.csv and Users.csv.]
It is really important that auth is required!

Test this twice! Try to get one of the URLs with no authentication using curl - it should redirect to the auth screen.

root@server-1:/home/mike# curl https://vm1.training.velocidex.com/files/C.81bf6660b9db0193/artifacts/
<a href="/auth/google/login">Temporary Redirect</a>.

root@server-1:/home/mike# curl https://vm1.training.ve
<a href="/auth/google/login">Temporary Redirect</a>.
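The same test as a script, added here as an example that is not part of the slides or of Velociraptor: it fetches a reverse-proxied URL anonymously without following redirects (a client that follows them would land on the login page with a 200 and hide the result) and reports whether the route redirected to /auth/ or served content. The URL is supplied on the command line; the expected shape from the slide is https://<server>/files/<client id>/artifacts/.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def classify(status: int, location: str, body: str) -> str:
    """Judge one raw response to a reverse-proxied route.

    auth-required : redirected to the login screen, what the slide expects
    exposed       : 200 with content handed to an anonymous client
    other         : 404, 5xx, redirect elsewhere; inspect by hand
    """
    if status in REDIRECT_CODES and "/auth/" in (location or ""):
        return "auth-required"
    if status == 200:
        return "exposed"
    return "other"

def fetch_unauthenticated(url: str, timeout: float = 10.0) -> tuple:
    """GET the URL with no cookies or tokens and without following redirects;
    return (status, Location header, first 4 KiB of the body)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"User-Agent": "auth-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return resp.status, resp.getheader("Location", "") or "", body
    finally:
        conn.close()

def check(url: str) -> str:
    """Fetch anonymously and classify; 'auth-required' is the only pass."""
    return classify(*fetch_unauthenticated(url))

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: auth_check.py https://<server>/files/<client id>/artifacts/")
    verdict = check(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict}")
    sys.exit(0 if verdict == "auth-required" else 1)
```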
Conclusions

In this module we introduced Velociraptor - a powerful endpoint visibility solution.

We mentioned that Velociraptor is based on VQL - a flexible query language.

We installed Velociraptor in a cloud deployment, prepared custom MSI packages and distributed them using group policy to our endpoints.
Conclusions

We introduced the Velociraptor GUI:

- The Virtual Filesystem abstraction (VFS) provides server side caching of the client's filesystem.
- We can navigate and refresh our view of the client's filesystem in a familiar way.
- We learned about artifacts as a way of encapsulating VQL queries in a human readable, functionally focused YAML file.
Conclusions

- We learned how artifacts can be collected from one end point.
- Exporting the collection into a zip file can archive the files collected and query results as CSV files.
- Leveling up, we can collect the same artifact from many systems. This is called a hunt.
- Exporting the hunt as a Zip file allows large collections to be archived as a snapshot from the entire deployment.